msg177541
Author: Antoine Pitrou (pitrou)
Date: 2012-12-15 17:31

Recent OpenSSL versions (e.g. 1.0.1c) have explicit support for TLS 1.1 and (presumably, although undocumented-ly) TLS 1.2 through TLSv1_1_method() and TLSv1_2_method(). It should be easy to add such support to the ssl module (although figuring out how exactly protocol version compatibility is handled - for the docs - might be a challenge).
|
|
msg184300
Author: Michele Orrù (maker)
Date: 2013-03-16 08:48

(ping)
|
|
msg184341
Author: Antoine Pitrou (pitrou)
Date: 2013-03-16 18:32

Michele, your latest patch doesn't apply on the default branch. However, I'll still do a review.
|
|
msg184342
Author: Antoine Pitrou (pitrou)
Date: 2013-03-16 18:37

Ok, some review comments:

+ .. warning:: requires at least openssl version 1.0.1
+ .. warning:: requires at least openssl version 1.0.1

The warnings are not warranted here. You might simply say "Available only with openssl version 1.0.1+."

+def skip_if_unsupported_tlsv1_1(func):

This decorator looks like it would be impressed in a simpler way using unittest.skipIf (or unittest.skipUnless).

+ try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv23, False,
+                    client_options=ssl.OP_NO_TLSv1_1)

Not sure why you test only with OP_NO_TLSv1_1. It would be nice to check that connecting succeeds from a TLSv1_1 client on a SSLv23 server.
|
|
msg184745
Author: Michele Orrù (maker)
Date: 2013-03-20 08:05

synced with tip

> This decorator looks like it would be impressed in a simpler way,
> using unittest.skipIf (or unittest.skipUnless).

> It would be nice to check that connecting succeeds from a
> TLSv1_1 client on a SSLv23 server.

yep, thanks.

> Not sure why you test only with OP_NO_TLSv1_1.

I've just emulated older tests against older TLS protocols. Is there anything wrong you see?

PS: I have removed ssl.PROTOCOL_* from test_constants, since they are already used in the global variable PROTOCOLS.
|
|
msg185300
Author: Michele Orrù (maker)
Date: 2013-03-26 20:49

.. sorry for all these trivialities.
|
|
msg185301
Author: Antoine Pitrou (pitrou)
Date: 2013-03-26 20:56

Thanks. I don't know what happened, but the last patch fails to apply:

$ patch -p1 < .3.patch
patching file Doc/library/ssl.rst
patching file Doc/whatsnew/3.4.rst
patching file Lib/ssl.py
patching file Lib/test/test_ssl.py
patching file Misc/NEWS
Hunk #1 succeeded at 1005 (offset 46 lines).
patching file Modules/_ssl.c
patch: **** malformed patch at line 291:  struct py_ssl_error_code {

$ hg import --no-commit .3.patch
application de .3.patch
abandon : bad hunk #2 @@ -73,7 +78,13 @@ (7 7 15 13)
|
|
msg185305
Author: Antoine Pitrou (pitrou)
Date: 2013-03-26 21:21

Ok, yet another issue :-) Testing on a machine with OpenSSL 1.0.0 gives the following failures. I think you mixed up skipIf / skipUnless.

======================================================================
ERROR: test_protocol_sslv2 (test.test_ssl.ThreadedTests)
Connecting to an SSLv2 server with various client options
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 87, in f
    return func(*args, **kwargs)
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 1493, in test_protocol_sslv2
    try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True)
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 1363, in try_protocol_combo
    chatty=False, connectionchatty=False)
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 1301, in server_params_test
    s.connect((HOST, server.port))
  File "/home/antoine/cpython/default/Lib/ssl.py", line 582, in connect
    self._real_connect(addr, False)
  File "/home/antoine/cpython/default/Lib/ssl.py", line 572, in _real_connect
    self.do_handshake()
  File "/home/antoine/cpython/default/Lib/ssl.py", line 552, in do_handshake
    self._sslobj.do_handshake()
ConnectionResetError: [Errno 104] Connection reset by peer

======================================================================
ERROR: test_protocol_tlsv1_1 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1.1 server with various client options.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 87, in f
    return func(*args, **kwargs)
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 1582, in test_protocol_tlsv1_1
    try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, True)
AttributeError: 'module' object has no attribute 'PROTOCOL_TLSv1_1'

======================================================================
ERROR: test_protocol_tlsv1_2 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1.2 server with various client options.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 87, in f
    return func(*args, **kwargs)
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 1602, in test_protocol_tlsv1_2
    try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_2, True,
AttributeError: 'module' object has no attribute 'PROTOCOL_TLSv1_2'
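An added example, not code from this thread or from CPython's test suite, modelling the protocol-compatibility expectations that try_protocol_combo asserts in the review above (msg184342), together with the unittest.skipUnless form suggested there; guarding on the presence of ssl.PROTOCOL_TLSv1_1 is what avoids the AttributeError in the failures above. The version labels, the OpNo bit values and the helper names are assumptions of this example, and the model treats SSLv23 as OpenSSL's auto-negotiating method and every other PROTOCOL_* as a single fixed version.

```python
import ssl
import unittest
from enum import IntFlag

# Versions as named by OpenSSL's *_method() functions (labels constructed here).
VERSIONS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2")

class OpNo(IntFlag):
    """Model of the OP_NO_* context options (bit values constructed, not OpenSSL's)."""
    SSLv2 = 1
    SSLv3 = 2
    TLSv1 = 4
    TLSv1_1 = 8
    TLSv1_2 = 16

def acceptable_versions(protocol, options=OpNo(0)):
    """A fixed method such as TLSv1_1 speaks only that version; SSLv23 (the
    auto-negotiating method) speaks everything not masked by an OP_NO_* option."""
    if protocol != "SSLv23":
        return {protocol}
    return {v for v in VERSIONS if not options & OpNo[v]}

def handshake_succeeds(server_protocol, client_protocol,
                       client_options=OpNo(0), server_options=OpNo(0)):
    """What try_protocol_combo asserts: success iff some version suits both ends."""
    return bool(acceptable_versions(server_protocol, server_options)
                & acceptable_versions(client_protocol, client_options))

# (server, client, client options, expected) for the combinations in the review.
COMBOS = [
    ("TLSv1_1", "TLSv1_1", OpNo(0), True),
    ("SSLv23", "TLSv1_1", OpNo(0), True),        # TLSv1_1 client on an SSLv23 server
    ("TLSv1_1", "SSLv23", OpNo.TLSv1_1, False),  # SSLv23 client refusing TLSv1.1
    ("TLSv1_1", "TLSv1", OpNo(0), False),        # fixed methods must match exactly
    ("TLSv1_1", "TLSv1_2", OpNo(0), False),
]

def check_combos():
    """True when the model reproduces every expected outcome in COMBOS."""
    return all(handshake_succeeds(s, c, o) == exp for s, c, o, exp in COMBOS)

# skipUnless on the constant's presence, as the review suggested, instead of a
# hand-written decorator: an OpenSSL without TLSv1.1 simply lacks the attribute.
@unittest.skipUnless(hasattr(ssl, "PROTOCOL_TLSv1_1"), "OpenSSL lacks TLSv1.1")
class TLSv11MatrixTests(unittest.TestCase):
    def test_matrix(self):
        for server, client, options, expected in COMBOS:
            self.assertEqual(handshake_succeeds(server, client, options), expected)
```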
|
|
msg185308
Author: Antoine Pitrou (pitrou)
Date: 2013-03-26 21:32

Here is an updated patch fixing the aforementioned issue (as well as another small issue with the set_ciphers("ALL") hack).
|
|
msg185470
Author: Roundup Robot (python-dev)
Date: 2013-03-28 21:29

New changeset 02a89bd646ca by Antoine Pitrou in branch 'default':
Issue #16692: The ssl module now supports TLS 1.1 and TLS 1.2. Initial patch by Michele Orrù.
http://hg.python.org/cpython/rev/02a89bd646ca
|
|
msg185471
Author: Antoine Pitrou (pitrou)
Date: 2013-03-28 21:30

Finally committed. Thanks for the patches!
|
|
msg189873
Author: Thom Nichols (Thom.Nichols)
Date: 2013-05-23 18:48

Is there any chance of this being backported to Python 2.7? Given NIST's complete deprecation of SHA1 and TLS 1.0 by end of 2013, I imagine there are at least a few folks who can't upgrade to Python 3.x, but need TLS 1.2 support. I think Ruby just recently implemented TLS 1.2 in 2.0, and backported it to the 1.9.3 tree. Thanks.
|
|
msg189879
Author: Antoine Pitrou (pitrou)
Date: 2013-05-23 21:24

> Is there any chance of this being backported to Python 2.7? Given
> NIST's complete deprecation of SHA1 and TLS 1.0 by end of 2013, I
> imagine there are at least a few folks who can't upgrade to Python
> 3.x, but need TLS 1.2 support. I think Ruby just recently implemented
> TLS 1.2 in 2.0, and backported it to the 1.9.3 tree. Thanks.

No, sorry. 2.7 only gets bug fixes.
|
|
msg192249
Author: Mark Kubacki (markk)
Date: 2013-07-03 18:02

Raw backport for Python 2.7. ›raw‹ like in: some options are in _ssl only. (_ssl.{err_names_to_codes,err_codes_to_names,lib_codes_to_names,…})
|
|
msg192250
Author: Antoine Pitrou (pitrou)
Date: 2013-07-03 18:03

Ha. If you're insisting on backporting SSL stuff, I think the best option would be to create a third-party backport of the whole ssl module on PyPI.
|
|
msg194404
Author: Wes Turner (westurner)
Date: 2013-08-04 18:12

http://docs.python.org/3.4/whatsnew/3.4.html#ssl

re: Backporting to Python 2.7: maybe something like: backports.ssl (like backports.ssl_match_hostname)
https://pypi.python.org/pypi/backports/
|
|